The Development of a Data-Centred Conceptual Reference Model for Strategic GRC-Management


Until now there are only few ideas for an integrated governance, risk and compliance (GRC) management available with these referring to the management process of GRC only. In literature, mainly specific questions at a detailed level, like the automation of different controls, are discussed in the GRC context. To be in the position to entirely realise benefit potentials (e.g. improvement of processes), it is necessary to have an integrated GRC-Management focusing on the strategic business objectives. Starting from the requirements, this article deals with general guidelines for strategic GRC-Management showing which aspects have to be considered in terms of an integral approach. On this basis, a data-centred reference model explicates the structural connections of GRC-related data, and lays the basis for the implementation in practice.

Share and Cite:

Nissen, V. and Marekfia, W. (2014) The Development of a Data-Centred Conceptual Reference Model for Strategic GRC-Management. Journal of Service Science and Management, 7, 63-76. doi: 10.4236/jssm.2014.72007.

Conflicts of Interest

The authors declare no conflicts of interest.


[1] Peffers, K., Tuunanen, T., Rothenberger, M.A. and Chatterjee, S. (2007) A Design Science Research Methodology for Information Systems Research. Journal of Management Information Systems, 24, 45-77.
[2] Teubner, A. And Feller, T. (2008) Informationstechnologie, Governance und Compliance. Wirtschaftsinformatik, 50, 400-407.
[3] Open Compliance & Ethics Group (2012) 2012 GRC Maturity Survey.
[4] Menzies, C. (2006) Sarbanes-Oxley und Corporate Compliance—Nachhaltigkeit, Optimierung, Integration. Schaffer-Poeschel, Stuttgart.
[5] Mitchell, S.L. and Switzer, C.S. (2009) GRC Capability Model. Red Book 2.0. Open Compliance & Ethics Group, Phoenix.
[6] Racz, N., Weippl, E. and Seufert, A. (2010) A Process Model for Integrated IT Governance, Risk & Compliance Management. Proceedings of the Ninth Baltic Conference on Databases and Information Systems (DB&IS '10), Riga, 155-170.
[7] Racz, N., Weippl, E. and Seufert, A. (2010) A Frame of Reference for Research of Integrated GRC. In: De Decker, B. and Schaumuller-Bichl, I., Eds., Communications and Multimedia Security. Proceedings of CMS, Springer, Berlin, 106-117.
[8] vom Brocke, J. (2003) Referenzmodellierung. Gestaltung und Verteilung von Konstruktionsprozessen. Logos, Berlin.
[9] Milicevic, D. and Goeken, M. (2010) Konzepte der Informationssicherheit in Standards am Beispiel der ISO 27001. In: Fahnrich, K.P. and Franczyk, B., Eds., Proc. Informatik 2010, LNI Vol. 176, Kollen, Bonn, 305-310.
[10] Zelewski, S. (1999) Ontologien zur Strukturierung von Domanenwissen—Ein Annaherungsversuch aus betriebswirtschaftlicher Perspektive. Technical Report No. 3, Institut fur Produktion und Industrielles Informationsmanagement, Essen.
[11] Scheer, A.-W. (2002) ARIS—Vom Geschaftsprozeß zum Anwendungssystem. 4th Edition, Springer, Berlin.
[12] OMG (2010) Unified Modelling Language: Infrastructure, Version 2.3. OMG, Needham.
[13] Hevner, A.R., March, S.T., Park, J. and Ram, S. (2004) Design Science in Information System Research. MISQ, 28, 75-105.
[14] Hevner, A.R. and Chatterjee, S. (2010) Design Research in Information Systems: Theory and Practice. Springer, Berlin.
[15] Becker, J., Delfmann, P., Knackstedt, K. and Kuropka, K. (2002) Konfigurative Referenzmodellierung. In: Becker, J. and Knackstedt, R., Eds., Wissensmanagement mit Referenzmodellen. Konzepte fur die Anwendungssystem-und Organisationsgestaltung, Physica, Heidelberg, 25-144.
[16] Marekfia, W. and Nissen, V. (2012) Anforderungen an ein strategisches GRC-Management. Proceedings of Informatik, 731-745.
[17] Verhoef, T.F., Hofstede, A.H.M.T. and Wijers, G.M. (1991) Structuring Modelling Knowledge for CASE Shells. In: Andersen, R., Bubenko, J. and Soelvberg, A., Eds., Advanced Information Systems Engineering, CAiSE’91, Trondheim, Norway, 13-15 May 1991, Lecture Notes in Computer Science 498, Springer, Berlin, 1991, 502-524..
[18] Chen, P.P.-S. (1976) The Entity-Relationship Model—Toward a Unified View of Data. ACM Transactions on Database Systems, 1, 9-36.
[19] vom Brocke, J., Simons, A., Niehaves, B., Riemer, K., Plattfaut, R. and Cleven, A. (2009) Reconstructing the Giant: On the Importance of Rigour in Documenting the Literature Search Process. In: Newell, S., Whitley, E., Pouloudi, N., Wareham, J. and Mathiassen, L., Eds., Proceedings of the ECIS 2009, 17th European Conference On Information Systems, Verona, 2206-2217.
[20] Bohnsack, R., Marotzki, W. and Meuser, M. (2006) Hauptbegriffe Qualitativer Sozialforschung. 2nd Edition, Budirch, Opladen.
[21] The IT Governance Institute (ITGI, Hrsg.) (2007) COBIT 4.1.
[22] Sadiq, S., Governatori, G. and Naimiri, K. (2007) Modeling Control Objectives for Business Process Compliance. Proceedings of the 5th Conference on Business Process Management, Lecture Notes in Computer Science 4714, 149-164.
[23] Sienou, A., Lamine, E. and Pingaud, H. (2008) A Method for Integrated Management of Process-Risk. Proceedings of GRCIS, Springer, Berlin, 16-30.
[24] Silveira, P., Rodriguez, C., Casati, F., Daniel, F., D’Andrea, V., Worledge, C. and Taberi, Z. (2009) On the Design of Compliance Governance Dashboards for Effective Compliance and Audit Management. Proceedings of ICSOC Workshops, 6275, 208-217.
[25] El Kharbili, M., Stein, S. and Pulvermuller, E. (2008) Policy-Based Semantic Compliance Checking for Business Process Management. Proc. MobIS Saarbrucken 2008, LNI Vol. P 141, Kollen, Bonn, 178-192.
[26] Goedertier, S. and Vanthienen, J. (2006) Business Rules for Compliant Business Process Models. Proceeding of International Conference on Business Information Systems (BIS 2006), Klagenfurt, 31 May-2 June 2006, 558-572.
[27] Weigand, H., van den Henvel, W.J. and Hiel, M. (2011) Business Policy Compliance in Service-Oriented Systems. Information Systems, 36, 791-807.
[28] Namiri, K. and Stojanovic, N. (2007) A Semantic-Based Approach for Compliance Management of Internal Controls in Business Process Management. In: Advanced Information Systems Engineering, 19th International Conference CAiSE 2007, Trondheim, Norway, 11-15 June 2007, Proceedings. Springer, Berlin, 61-64.
[29] Sackmann, S. (2008) A Reference Model for Process-Oriented IT Risk Management. In: Golden, W., Acton, T., Conboy, K., Heijden, H.V.D. and Tuunainen, K., Eds., Proceedings of ECIS, GITO-Verlag, Berlin, 1137-1148.
[30] Teuteberg, F. and Freundlieb, M. (2009) Compliance Management mit betrieblichen Umweltinformationssystemen. Wisu—Das Wirtschaftsstudium, 4, 550-557.
[31] Sackmann, S. (2008) Automatisierung von Compliance. HMD—Praxis der Wirtschaftsinformatik, 45, 39-46.
[32] Pohlman, M. (2008) Oracle Identity Management: Governance, Risk, and Compliance Architecture. 3rd Edition, CRC Press, Boca Raton.
[33] International Organization for Standardization and International Electro Technical Commission (ISO, IEC Hrsg.) (2008) Corporate Governance of Information Technology. Geneva.
[34] Institut der Wirtschaftsprufer in Deutschland e.V. (IDW, ed.) (2010) Entwurf IDW Prufungsstandard: Grundsatze ordnungsmaßiger Prufung von Compliance Management Systemen. (IDW EPS 980) Stand: 11.03.2010. Dusseldorf.
[35] Withus, K.H. (2010) Sicherstellung der Compliance durch wirksame Managementsysteme. Zeitschrift fur Interne Revision, 7, 99-108.
[36] Johannsen, W. and Goeken, M. (2006) IT-Governance—Neue Aufgaben des IT-Managements. HMD—Praxis der Wirtschaftsinformatik, 250, 7-20.
[37] Bhimani, A. (2009) Risk Management, Corporate Governance and Management Accounting. Emerging Interdependencies. Management Accounting Research, 20, 2-5.
[38] Klotz, M. (2009) IT-Compliance: Ein Uberblick. Dpunkt, Heidelberg.
[39] Deutsches Institut fur Interne Revision (2011) Internationale Standards fur die berufliche Praxis der Internen Revision 2011. Frankfurt am Main.
[40] Muller, G. (2007) Fur Sie gelesen. Wirtschaftsinformatik, 49, 107-109.
[41] Boss, S.R., Kirsch, L.J., Angermeier, I., Shingler, R.A. and Boss, R.W. (2009) If Someone Is Whatching, I’ll Do What I’m Asked: Mandatories, Control, and Information Security. European Journal of Information Systems, 18, 151-164.
[42] Herath, T. and Rao, R. (2009) Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organizations. European Journal of Information Systems, 18, 106-125.
[43] Abdullah, S.N., Indulska, M. and Sadiq, S. (2010) Emerging Challenges in Information Systems Research for Regulatory Compliance Management. In: Hutchinson, et al., Eds., Advanced Information Systems Engineering, 22nd International Conference, CAiSE 2010, Hammamet, Tunisia, 7-9 June 2010. Proceedings, Springer, Berlin, 251-265.
[44] Schutte, R. (1997) Die neuen Grundsatze ordnungsmaßiger Modellierung. Paper Presented at Forschungs Forum, Leipzig, 1997, 16.09-20.09.97.
[45] Fettke, P. and Loos, P. (2004) Entwicklung eines Bezugsrahmens zur Evaluierung von Referenzmodellen. In: Loos, P., Ed., Working Papers of the Research Group Information Systems & Management, Vol. 20, ISYM—Information Systems & Management, Mainz.
[46] Gericke, A., Fill, H.G., Karagiannis, D. and Winter, R. (2009) Situational Method Engineering for Governance, Risk and Compliance Information Systems. Proc. DESRIST 2009, ACM Press, New York, Article No: 24.
[47] Kley, W.D. (2011) Risiko-und Chancenmanagement der MAN SE. Zeitschrift fur Controlling & Management, 55, 105-110.
[48] Frohlich, M. and Glasner, K. (2007) IT Governance. Leitfaden fur eine praxisgerechte Implementierung. Gabler, Wiesbaden.
[49] Tullner, J. (2012) Integration von Governance, Risikomanagement und Compliance. Erfahrungsbericht uber ein Projekt zur Optimierung der Unternehmenssteuerung und einen ganzheitlichen Losungsansatz. Zeitschrift fur Corporate Governance, 7, 118-121.
[50] Gigerl, T., Unger, C. and Baumgartner, C. (2007) Umsetzung eines integrierten IT-Compliance-Frameworks—am Beispiel ALTANA Pharma. Information Management & Consulting, 22, 70-77.
[51] Just, D. and Tami, F. (2007) Praxisbeispiel: Bewertung von Applikationsportfolios und IT-Prozessen. In: Johannsen, W. and Goeken, M., Eds., Referenzmodelle fur IT-Governance. Strategische Effektivitat und Effizienz mit COBIT, ITIL & Co, Dpunkt.verlag, Heidelberg, 225-242.

Copyright © 2023 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.